On Mon, Apr 17, 2006 at 10:20:14AM +0800, Zhang, Long (Roger) wrote:

> Hi, Steve,
> 
> Thanks for your reply. I found no use to add dhparam file to my server
> and client. The connection still could not be set up. I found if I set
> server certificate and private key, the connection could be set up. That
> is, server certificate is required even though I used SSL_CTX_set_verify
> to set both server and client mode to SSL_VERIFY_NONE. That really
> makes me confused. I am using TLSv1 method. And I set ciphersuite to
> ALL:+ADH:+aNULL:+NULL:+eNULL with SSL_CTX_set_cipher_list(), but the
> connection still could not be set up without server certificate. Is
> there anything I can do?

Try: setting the ciphersuite to "ADH". Also, test with s_server and s_client.

$ openssl s_server -nocert -cipher ADH -accept 12345 &
...
$ openssl s_client -cipher ADH -connect 127.0.0.1:12345
CONNECTED(00000003)
-----BEGIN SSL SESSION PARAMETERS-----
MHUCAQECAgMBBAIAOgQgb5EGFC/WTA2O7JYVFxiDqSW4om3UXYWwmFTpu7WKftIE
ME0jydMKoAZxK1cW+QHIF8aYN+ev0CakDWc1PyAiSIeMWTwPsYYRh9rlSp3Xk+uE
86EGAgREQv41ogQCAgEspAYEBAEAAAA=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ADH-AES256-SHA:ADH-AES128-SHA:ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA:ADH-RC4-MD5:EXP-ADH-RC4-MD5
CIPHER is ADH-AES256-SHA
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 291 bytes and written 198 bytes
---
New, TLSv1/SSLv3, Cipher is ADH-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ADH-AES256-SHA
    Session-ID: 6F9106142FD64C0D8EEC9615171883A925B8A26DD45D85B09854E9BBB58A7ED2
    Session-ID-ctx:
    Master-Key: 4D23C9D30AA006712B5716F901C817C69837E7AFD026A40D67353F202248878C593C0FB1861187DAE54A9DD793EB84F3
    Key-Arg   : None
    Start Time: 1145241141
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

This is an example of a working ADH handshake. Figure out where your
application differs from s_client and s_server.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
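
Added example, not part of the original message or of OpenSSL: a small Python check that reads an s_client transcript like the one above and reports whether the peer was actually authenticated. With an ADH suite no certificate is exchanged, and "Verify return code: 0 (ok)" is the default result when no peer certificate was presented, so it does not indicate a verified identity. The sample transcripts, function names and the "authenticated" rule are assumptions made for illustration.

```python
import re

# Constructed sample, modelled on the s_client output quoted in the message
# above (session key material left out).
SAMPLE_ADH = """\
CONNECTED(00000003)
CIPHER is ADH-AES256-SHA
---
no peer certificate available
---
New, TLSv1/SSLv3, Cipher is ADH-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ADH-AES256-SHA
    Verify return code: 0 (ok)
---
"""

# Constructed contrast case: a certificate-authenticated session.
SAMPLE_RSA = """\
CONNECTED(00000003)
---
Server certificate
subject=/CN=server.example
issuer=/CN=Example CA
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
---
"""

# OpenSSL names anonymous suites ADH-* / AECDH-* (export variants: EXP-ADH-*).
ANON_KX = re.compile(r"(?:^|-)(?:ADH|AECDH)-")
FIELD = re.compile(r"^\s*(Protocol|Cipher|Verify return code)\s*:\s*(.*)$")

def assess(text):
    """Parse an s_client transcript and decide if the peer was authenticated."""
    info = {"peer_cert": True}
    for line in text.splitlines():
        if line.strip() == "no peer certificate available":
            info["peer_cert"] = False
        m = FIELD.match(line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    code = int(info.get("Verify return code", "-1").split()[0])
    info["anonymous"] = bool(ANON_KX.search(info.get("Cipher", "")))
    # Simplified rule (assumption): certificate seen, non-anonymous suite, code 0.
    info["authenticated"] = info["peer_cert"] and not info["anonymous"] and code == 0
    return info
```

Running assess() over saved s_client output from each endpoint gives a quick way to spot services that negotiate anonymous suites.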
